Ok but you should use passphrases. Better to type and remember in case you need to
There are instances where sites prevent copy-paste, or you are on another machine without your password manager available
this post was submitted on 04 Oct 2025
319 points (93.0% liked)
Today I Learned
25135 readers
601 users here now
What did you learn today? Share it with us!
We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
Rules (interactive)
Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.
** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**
Rule 2- Your post subject cannot be illegal or NSFW material.
Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.
Rule 3- Do not seek mental, medical and professional help here.
Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.
Rule 4- No self promotion or upvote-farming of any kind.
That's it.
Rule 5- No baiting or sealioning or promoting an agenda.
Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.
Rule 6- Regarding non-TIL posts.
Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.
Rule 7- You can't harass or disturb other members.
If you vocally harass or discriminate against any individual member, you will be removed.
Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.
For further explanation, clarification and feedback about this rule, you may follow this link.
Rule 8- All comments should try to stay relevant to their parent content.
Rule 9- Reposts from other platforms are not allowed.
Let everyone have their own content.
Rule 10- Majority of bots aren't allowed to participate here.
Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.
Partnered Communities
You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.
Community Moderation
For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.
founded 2 years ago
MODERATORS
If you have a password vault, use the vault first.
For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don't contain dictionary words. Example:
Annual evaluations are due before summer. Be sure to mention the Grodsky project! aeadB4S.Bs2mtGp.
Where did Julie's candy go? I ate it! She'll never know >:D
WdJcg?I8i!Snn>:D
Even if I had a perfectly secure connection, I'm still getting a password from a service that could be tracking me.
Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter
I want to be clear that what I'm about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.
A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I'll get there.
A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.
From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.
Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.
So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person's reputation at work if anyone got their company's AD password file out without notice, as well as one's security if their browser's password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.
load more comments
(3 replies)
WdJcg?I8i!Sn~~n~~k>:D
I didn't type this right in the first place, but it DOES bring up a point.
Substituting symbols for letters, we always called it leet speak—but Wikipedia calls it munged—used to be considered safe quite some time ago.
It's better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.
pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.
That's great if you only have a couple of online accounts, but get past a few dozen and you're toast. I don't know about you, but I sure can't remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.
Passphrases are easier when you need to enter the password on a system that isn't logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.
You didnt read my comment
typing passwords
Pass phrases for things that need to be human readable/rememberable.
Generated strings for everything else.
Because a pass phrase is inherently vulnerable to a dictionary attack because... it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is "a=@" or "every 'e' is a 'b'" and so forth.
Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and "one day we'll have quantum computers" but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you... at which point "hmm. 96 characters? Must be a pass phrase". So... not the venue to discuss.
But, at that point... if you are using a password manager/vault anyway...
Also the reality is that anyone who has ever dealt with a bank or some other "legacy" website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to "p@$$w0rd" level bullshit (or, better yet, you have a mental model/style of password).
Passphrases everywhere, add dialect to make it harder, symbols if you like. Crazy but short passwords for limitations
Or just use a locally hosted password generator for one that isn't handfed to you by a for-profit company...
Alternatively, you can just roll your face on the keyboard and then take a screenshot of the resulting password to save it. 🤷♂️
That's what I'm thinking. Is it really so hard to just make up s random string of symbols? I do it all the time but use acronym type things to remember it.
It can also generate UUIDs. Very useful.
Why not local
Like just generate an md5 hash, truncate it to whatever arbitrary number the shitty website decided is their password length limit, then store it in an encrypted db
Of course this is just a long way of reinventing keepass/1password/bitwarden/icloud keychain/etc
If you’re already generating an md5 and truncating it (an md5 of what?), you might as well use pwgen.
An md5 of whatever string pops in your head at that moment. True randomness is a persons nonsequitors
This makes sense. I had no idea what tools existed because as mentioned many db solutions exist for this
I haven't in a while, but back when I generated passwords for users, I would use the openssl command.